Date: Wed, 26 Aug 1998 11:50:15 +0200
From: Walter Hafner <[email protected]>
To: [email protected]Subject: News DoS using sendsys
I think we (a local ISP in Augsburg/Germany ...) are hit by an DoS that
wasn't described here before:
Our newsserver (INN) all of a sudden gets several 100 'sendsys' requests
per day. The addresses of the people requesting the sendsys seem to be
completely random. They all seem to be normal user-accounts. We see
these sendsys requests for about a week now.
Since our INN is configured to report all 'unusual' control messages to
the news-administrators, rather than to execute it, the DoS doesn't hurt
us very much. My Mailfolder now usually looks like:
N 2 Aug 26 News Subsystem (74) sendsys by [email protected]
N 3 Aug 26 News Subsystem (53) sendsys by [email protected].
N 4 Aug 26 News Subsystem (64) sendsys by [email protected].
N 5 Aug 26 News Subsystem (64) sendsys by [email protected]
N 6 Aug 26 News Subsystem (66) sendsys by [email protected]
The body of the mails look like:
jf enbg kg
wwt ncoy psb
bdoo ldb jg
aqk gsic jnsy
td mvdo gvui
mt uhlq pab
nicw vvk knb
kqqu ippi htji
bsp vpq hdm
[...]
I didn't bother to check the validity of the addresses (note the double
addresses).
I can imagine two impacts on small ISP's:
- the lines of the ISP can get overloaded (if you're a small ISP like we
are, and have only very limited bandwidth, this can be an issue)
- If you have only limited resources and use one machine to do Mail and
News, this machine will slow down considerably. Furthermore, your
spooling partition could overflow (if it is handling News _and_ Mail)
and throttle the INN.
Fortunately, this DoS is very easy to stop: Just make sure, that the
Newsserver doesn't reply to a 'sendsys' automatically.
-Walter
--
Walter Hafner_______________________________ [email protected]
<A href=http://www.in.tum.de/~hafner/>*CLICK*</A>
The best observation I can make is that the BSD Daemon logo
is _much_ cooler than that Penguin :-) (Donald Whiteside)